You are not allowed to access 'a particular str' in this context
Hi all, I have a rather strange Problem. I have a PersistentList containing PersistentMapping objects. [{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24 16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date': DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission test', 'ID': '20080124155150_4641@DC83D1F1DB88CDE8'}] When do a tal:repeat="message here/getMessages" and a tal:replace="message" everything functions as expected. When i try tal:replace="message/ID" I get an Unauthorized Exception "You are not allowed to access 'a particular str' in this context" I can access all DateTime objects. Only the strings a not allowed. There is no difference when getMessages return of the Original list and when I build a new list with copies of the PersistentMapping objects. To get this working I have to create new Dictionary from the Persistent Mappings add them to an normal List and return this list. ret = [] for test in self.msglist : temptest = {} for (key,value) in test.items() : temptest[key] = value ret.append(temptest) return ret That's a real performance killer as the list is read quite frequently. Any Idea how to fix this. Gerhard -- ------------------------------------------------- Gerhard Schmidt | E-Mail: schmidt@ze.tum.de TU-München | WWW & Online Services | Tel: 089/289-25270 | Fax: 089/289-25257 | PGP-Publickey on request
Does this problem only occure with message/ID ? Or also with message/Message or message/SenderId ? Which version of zope are you using? Kind regards, Martijn.
Hi all,
I have a rather strange Problem.
I have a PersistentList containing PersistentMapping objects.
[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24 16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date': DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission test', 'ID': '20080124155150_4641@DC83D1F1DB88CDE8'}]
When do a tal:repeat="message here/getMessages" and a tal:replace="message" everything functions as expected. When i try tal:replace="message/ID" I get an Unauthorized Exception "You are not allowed to access 'a particular str' in this context"
I can access all DateTime objects. Only the strings a not allowed.
There is no difference when getMessages return of the Original list and when I build a new list with copies of the PersistentMapping objects.
To get this working I have to create new Dictionary from the Persistent Mappings add them to an normal List and return this list.
ret = []
for test in self.msglist : temptest = {} for (key,value) in test.items() : temptest[key] = value ret.append(temptest) return ret
That's a real performance killer as the list is read quite frequently.
Any Idea how to fix this.
Gerhard
------------------------------------------------------------------------
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
-- Martijn Jacobs Four Digits, Internet Solutions a: Willemsplein 15-1 6811 KB Arnhem NL kvk: 091621370000 | btw: 8161.22.234.B01 e-mail: martijn@fourdigits.nl | web: http://www.fourdigits.nl tel: +31 (0)26 44 22 700 | fax: +31 (0)84 22 06 117
Martijn Jacobs schrieb:
Does this problem only occure with message/ID ? Or also with message/Message or message/SenderId ?
The problem is on all Strings. DateTime Objects working.
Which version of zope are you using?
Zope 2.9.7-final, python 2.4.4, freebsd7 Gerhard -- ------------------------------------------------- Gerhard Schmidt | E-Mail: schmidt@ze.tum.de TU-München | WWW & Online Services | Tel: 089/289-25270 | Fax: 089/289-25257 | PGP-Publickey on Request
Gerhard Schmidt wrote at 2008-1-24 16:56 +0100:
I have a rather strange Problem.
I have a PersistentList containing PersistentMapping objects.
[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24 16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date': DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission test', 'ID': '20080124155150_4641@DC83D1F1DB88CDE8'}]
When do a tal:repeat="message here/getMessages" and a tal:replace="message" everything functions as expected. When i try tal:replace="message/ID" I get an Unauthorized Exception "You are not allowed to access 'a particular str' in this context"
Reconfigure your "error_log" object to not ignore "Unauthorized" exceptions, reproduce the error and then look at the corresponding traceback. I expect that the "message" object implements a "__bobo_traverse__" method (or gets one through "Five"). Zope is a bit stupid when "__bobo_traverse__" returns an object without security declarations -- such as e.g. a string. In this case, it insists that "getattr" must return the same object and raise "Unauthorized" otherwise. -- Dieter
Dieter Maurer schrieb:
Gerhard Schmidt wrote at 2008-1-24 16:56 +0100:
I have a rather strange Problem.
I have a PersistentList containing PersistentMapping objects.
[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24 16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date': DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission test', 'ID': '20080124155150_4641@DC83D1F1DB88CDE8'}]
When do a tal:repeat="message here/getMessages" and a tal:replace="message" everything functions as expected. When i try tal:replace="message/ID" I get an Unauthorized Exception "You are not allowed to access 'a particular str' in this context"
Reconfigure your "error_log" object to not ignore "Unauthorized" exceptions, reproduce the error and then look at the corresponding traceback.
I expect that the "message" object implements a "__bobo_traverse__" method (or gets one through "Five"). Zope is a bit stupid when "__bobo_traverse__" returns an object without security declarations -- such as e.g. a string. In this case, it insists that "getattr" must return the same object and raise "Unauthorized" otherwise.
Time 2008/01/25 12:01:53.125 GMT+1 User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8) Request URL http://devportal:6080/portal_communications/manage_messagequeue Exception Type Unauthorized Exception Value You are not allowed to access 'a particular str' in this context Traceback (innermost last): Module ZPublisher.Publish, line 115, in publish Module ZPublisher.mapply, line 88, in mapply Module ZPublisher.Publish, line 41, in call_object Module Shared.DC.Scripts.Bindings, line 311, in __call__ Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec Module Products.PageTemplates.PageTemplateFile, line 113, in _exec Module Products.PageTemplates.PageTemplate, line 104, in pt_render - <PageTemplateFile at /TUM_Portal/portal_communications/manage_messagequeue> Module TAL.TALInterpreter, line 238, in __call__ Module TAL.TALInterpreter, line 281, in interpret Module TAL.TALInterpreter, line 715, in do_condition Module TAL.TALInterpreter, line 281, in interpret Module TAL.TALInterpreter, line 691, in do_loop_tal Module TAL.TALInterpreter, line 281, in interpret Module TAL.TALInterpreter, line 455, in do_optTag_tal Module TAL.TALInterpreter, line 437, in no_tag Module TAL.TALInterpreter, line 281, in interpret Module TAL.TALInterpreter, line 531, in do_insertText_tal Module Products.PageTemplates.TALES, line 227, in evaluateText Module Products.PageTemplates.TALES, line 221, in evaluate - URL: manage_messagequeue - Line 17, Column 9 - Expression: standard:'message/ID' - Names: {'container': <TUMCommunications at /TUM_Portal/portal_communications>, 'context': <TUMCommunications at /TUM_Portal/portal_communications>, 'default': <Products.PageTemplates.TALES.Default instance at 0x807299dd0>, 'here': <TUMCommunications at /TUM_Portal/portal_communications>, 'loop': <Products.PageTemplates.TALES.SafeMapping object at 0x8129168c0>, 'modules': <Products.PageTemplates.ZRPythonExpr._SecureModuleImporter instance at 0x80729a248>, 'nothing': None, 'options': {'args': ()}, 'repeat': <Products.PageTemplates.TALES.SafeMapping object at 0x8129168c0>, 'request': <HTTPRequest, URL=http://devportal:6080/portal_communications/manage_messagequeue>, 'root': <Application at >, 'template': <PageTemplateFile at /TUM_Portal/portal_communications/manage_messagequeue>, 'traverse_subpath': [], 'user': <LDAPUser 'DC83D1F1DB88CDE8'>} Module Products.PageTemplates.Expressions, line 185, in __call__ Module Products.PageTemplates.Expressions, line 173, in _eval Module Products.PageTemplates.Expressions, line 127, in _eval - __traceback_info__: message Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []} Unauthorized: You are not allowed to access 'a particular str' in this context Regards Gerhard -- ------------------------------------------------- Gerhard Schmidt | E-Mail: schmidt@ze.tum.de TU-München | WWW & Online Services | Tel: 089/289-25270 | Fax: 089/289-25257 | PGP-Publickey auf Anfrage
Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
Dieter Maurer schrieb: ...
I expect that the "message" object implements a "__bobo_traverse__" method (or gets one through "Five"). Zope is a bit stupid when "__bobo_traverse__" returns an object without security declarations -- such as e.g. a string. In this case, it insists that "getattr" must return the same object and raise "Unauthorized" otherwise.
Time 2008/01/25 12:01:53.125 GMT+1 User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8) Request URL http://devportal:6080/portal_communications/manage_messagequeue Exception Type Unauthorized Exception Value You are not allowed to access 'a particular str' in this context ... - __traceback_info__: message Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []} Unauthorized: You are not allowed to access 'a particular str' in this context
This may be compatible with my assumption. Check line 338 in "Products/PageTemplates/Expressions.py". When this line is in the block handling the "__bobo_traverse__", then you have confirmed my assumption. In this case, you must either get rid of the message's "__bobo_traverse__" or let it return an object with security declarations (such as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1" and "__roles__=None") or ensure that a "getattr" results in the same str or fix Zope. -- Dieter
Hi! I don't understand quite well this explanation but it interest me a lot (as you can read if you search for my all questions about __bobo_traverse__) do it need I put the __allow_access_to_unprotected_subobjects__=1 in the __bobo_traverse__ or in other place? I my last try to solve this issue in my case I try the __roles__ = None but this was an uncomplete solution Please can you complete my information? Thanks! 2008/1/25, Dieter Maurer <dieter@handshake.de>:
Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
Dieter Maurer schrieb: ...
I expect that the "message" object implements a "__bobo_traverse__" method (or gets one through "Five"). Zope is a bit stupid when "__bobo_traverse__" returns an object without security declarations -- such as e.g. a string. In this case, it insists that "getattr" must return the same object and raise "Unauthorized" otherwise.
Time 2008/01/25 12:01:53.125 GMT+1 User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8) Request URL http://devportal:6080/portal_communications/manage_messagequeue Exception Type Unauthorized Exception Value You are not allowed to access 'a particular str' in this context ... - __traceback_info__: message Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []} Unauthorized: You are not allowed to access 'a particular str' in this context
This may be compatible with my assumption.
Check line 338 in "Products/PageTemplates/Expressions.py". When this line is in the block handling the "__bobo_traverse__", then you have confirmed my assumption.
In this case, you must either get rid of the message's "__bobo_traverse__" or let it return an object with security declarations (such as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1" and "__roles__=None") or ensure that a "getattr" results in the same str or fix Zope.
-- Dieter _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
-- Mis Cosas http://blogs.sistes.net/Garito Zope Smart Manager http://blogs.sistes.net/Garito/670
Garito wrote at 2008-1-26 13:37 +0100:
I don't understand quite well this explanation but it interest me a lot (as you can read if you search for my all questions about __bobo_traverse__) do it need I put the __allow_access_to_unprotected_subobjects__=1 in the __bobo_traverse__ or in other place?
The Zope weakness becomes obvious when "__bobo_traverse__" returns an object without security declarations. To work around this weakness you have to ensure that "__bobo_traverse__" returns an object with security declarations (in fact, it need to be public). This means, you must set the security declarations on the object returned by "__bobo_traverse__".
... 2008/1/25, Dieter Maurer <dieter@handshake.de>:
Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
Dieter Maurer schrieb: ...
I expect that the "message" object implements a "__bobo_traverse__" method (or gets one through "Five"). Zope is a bit stupid when "__bobo_traverse__" returns an object without security declarations -- such as e.g. a string. In this case, it insists that "getattr" must return the same object and raise "Unauthorized" otherwise.
Time 2008/01/25 12:01:53.125 GMT+1 User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8) Request URL http://devportal:6080/portal_communications/manage_messagequeue Exception Type Unauthorized Exception Value You are not allowed to access 'a particular str' in this context ... - __traceback_info__: message Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []} Unauthorized: You are not allowed to access 'a particular str' in this context
This may be compatible with my assumption.
Check line 338 in "Products/PageTemplates/Expressions.py". When this line is in the block handling the "__bobo_traverse__", then you have confirmed my assumption.
In this case, you must either get rid of the message's "__bobo_traverse__" or let it return an object with security declarations (such as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1" and "__roles__=None") or ensure that a "getattr" results in the same str or fix Zope.
-- Dieter
Gerhard Schmidt wrote: [..]
Any Idea how to fix this.
What happens when you add __allow_access_to_unprotected_subobjects__ = 1 to your type definition? (Good old Zope 2 magic, yeah ...) Raphael
Gerhard
------------------------------------------------------------------------
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
participants (5)
-
Dieter Maurer -
Garito -
Gerhard Schmidt -
Martijn Jacobs -
Raphael Ritz